Guide To Compliance: The Utah Consumer Privacy Act (UCPA)

What is UCPA?

The UCPA is a new law passed unanimously by the Utah State Legislature as Senate Bill 227, Consumer Privacy Act. The law will take effect on Dec. 31, 2023, giving businesses time to prepare for compliance.

The UCPA aims to protect the data privacy of Utah consumers by giving them tools to control the use of their data in some situations. 

Under the new legislation, consumers have the right to:

• Find out if their data is being processed
• Opt out of having their data processed
• Request copies of their data
• Instruct a company to stop using their data

However, these rights are far from unlimited, and the Utah Legislature carved out several exemptions for broad classes of data, data processors, and data collectors.

Is UCPA applicable to my business?

To check whether the UCPA will apply to your business, you will need to answer the following questions:

1. I conduct my business in Utah; or
2. My business provides products or services that are targeted to consumers who are residents of Utah;
3. My yearly revenue is $25 million or more; and
4. My business does either one or all of the following requisites:
5. During a calendar year, controls, or processes personal data of 100,000 or more consumers; or
6. Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Interpretations:

• If you checked ALL boxes:  Your business is SUBJECT to UCPA.
• If you checked box #1 only:  Your business is SUBJECT to UCPA.
• If you checked boxes 2, 3 & 4:  Your business is SUBJECT to UCPA.
• If you checked any boxes in any other way: Your business is NOT SUBJECT to UCPA.

Is My Business Exempt From UCPA?

My business is exempt from UCPA if my Organization is any of the following:

• • (i) Institutions of higher education
  • (ii) Nonprofit organizations
  • (iii) Government organizations and contractors
  • (iv) Indigenous tribes
  • (v) Air carriers
  • (vi)Organizations covered by the Health Insurance Portability and Accountability Act (HIPAA)
  • (vii) Financial institutions governed by the Gramm-Leach-Bliley Act

Data used by my business is exempted from the UCPA if it does not apply to information that is already subject to the following regulations:

• • (i) Health Insurance Portability and Accountability Act (HIPAA)
  • (ii) Gramm-Leach-Bliley Act
  • (iii) Fair Credit Reporting Act
  • (iv) Driver’s Privacy Protection Act
  • (v) Family Educational Rights and Privacy Act
  • (vi) Farm Credit Act

 Data processed or maintained by my organization is exempt from the UCPA  if:

• • (i) In the course of an individual applying to, or acting as an employee, agent, or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

How Can I Ensure My UCPA Compliance?

The UCPA imposes certain obligations on businesses that collect, process, or sell personal data of Utah residents. To prepare with the UCPA, you should:

• • Determine if your business is subject to the UCPA.
  • Create a clear and accessible privacy policy that includes all required elements.
  • Provide notice and an opportunity to opt out of the processing of sensitive data.
  • Enable consumers to exercise their right to access, delete, portability, and opt-out.
  • Provide a clear and conspicuous notice about the sale of personal data and processing for targeted advertising purposes and how to opt-out.
  • Implement appropriate security measures to protect personal data

How Can GetTerms Assist You

If your business falls under the jurisdiction of the Utah Consumer Privacy Act (UCPA), it’s crucial to begin your compliance preparations well in advance of the December 31, 2023 deadline. This involves a series of actions, including a thorough review of your third-party contracts, crafting a suitable privacy notice, and evaluating your security protocols.

GetTerms offers many features to help you efficiently address numerous items on your checklist, including tailoring your legal policy documentation and generating cookie consent banners. Please take advantage of our GetTerms today to ensure ongoing compliance with the UCPA and other pertinent privacy regulations.